Hi,
I have a firewall running iptables. I have tried to route SIP traffic from my WAN (eth3) interface to a VLAN (eth2.2) interface; however, the data will not route to the VLAN, it keeps routing to the default interface (eth2). Does anyone have an idea as to what I need to look for?
Regards
Jennifer Botten
ETECH
Tel: +2787 150 5285
Fax: 086 638 2412
Mobile: +27 82 496 4009
E-Mail: jennifer@etech.co.za
Website: http://www.etech.co.za/
The views expressed in this email are, unless otherwise stated, those of the author and not those of the Etech or its management. The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted in reliance on this, is prohibited and may be unlawful. Whilst all reasonable steps are taken to ensure the accuracy and integrity of information and data transmitted electronically and to preserve the confidentiality thereof, no liability or responsibility whatsoever is accepted if information or data is, for whatever reason, corrupted or does not reach its intended destination.
Hi Jennifer,
Could you copy the iptables rules?
Julio
On 7/22/2011 8:49 AM, Jennifer Botten wrote:
Hi,
I have a firewall running iptables. I have tried to route SIP traffic from my WAN (eth3) interface to a VLAN (eth2.2) interface; however, the data will not route to the VLAN, it keeps routing to the default interface (eth2). Does anyone have an idea as to what I need to look for?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi Julio,
-A FORWARD -i eth2.2 -s 192.168.1.0/24 -d 10.30.4.28 -p udp -j ACCEPT
-A FORWARD -i eth2.2 -s 192.168.1.0/24 -d 192.168.0.0/24 -p tcp -j ACCEPT
-A FORWARD -i eth1 -s 192.168.0.0/24 -d 192.168.1.0/24 -p tcp -j ACCEPT
-A FORWARD -i eth3 -s 10.30.4.28 -o eth2.2 -p udp -j ACCEPT
-A POSTROUTING -m helper --helper sip -m state --state ESTABLISHED,RELATED
Thanks
Jennifer
On Friday, July 22, 2011 10:55 PM, Jennifer Botten wrote:
Hi Julio,
-A FORWARD -i eth2.2 -s 192.168.1.0/24 -d 10.30.4.28 -p udp -j ACCEPT
-A FORWARD -i eth2.2 -s 192.168.1.0/24 -d 192.168.0.0/24 -p tcp -j ACCEPT
-A FORWARD -i eth1 -s 192.168.0.0/24 -d 192.168.1.0/24 -p tcp -j ACCEPT
-A FORWARD -i eth3 -s 10.30.4.28 -o eth2.2 -p udp -j ACCEPT
-A POSTROUTING -m helper --helper sip -m state --state ESTABLISHED,RELATED
Dumb question, but do you have IP forwarding enabled?
On 7/22/2011 8:49 AM, Jennifer Botten wrote:
Hi,
I have a firewall running iptables. I have tried to route SIP traffic from my WAN (eth3) interface to a VLAN (eth2.2) interface; however, the data will not route to the VLAN, it keeps routing to the default interface (eth2). Does anyone have an idea as to what I need to look for?
VLAN interfaces should work like any other interface in terms of routing. Things should follow the most specific route (smallest netmask).
On 07/22/11 6:49 AM, Jennifer Botten wrote:
Hi,
I have a firewall running iptables. I have tried to route SIP traffic from my WAN (eth3) interface to a VLAN (eth2.2) interface; however, the data will not route to the VLAN, it keeps routing to the default interface (eth2). Does anyone have an idea as to what I need to look for?
To route stuff out different interfaces, I found I had to use ip rules.
In my case, I wanted specific local hosts (on the private LAN) to route out an alternate interface, so I did something like...
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to $net2.98
ip rule add from $net2.96/28 table 2
ip rule add from 10.0.1.0/24 table 2
ip route add default via $net2.97 dev $port2 table 2
To explain this, the LAN is 10.0.0.0/16. Hosts on 10.0.0.0-255 are to be routed out the default interface, while a few hosts specifically put on 10.0.1.98-110 are to be routed out this 2nd interface, $net2.96/28.
The two ip rule commands tag any traffic that is from either the second external circuit or the reserved subnet of the local network to use 'table 2'. The ip route command says anything that's in table 2 is to use the second circuit's gateway and port.
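As an added illustration (not John's configuration or any code from this thread), the lookup that the two ip rule commands and the table-2 default route produce, emulated in Python with constructed addresses: 203.0.113.96/28 stands in for $net2.96/28, eth2 for $port2, and eth0/eth1 for the default WAN and LAN ports. It also shows the caveat that a table holding only a default route captures LAN-to-LAN traffic from the reserved hosts unless the LAN prefix is copied into that table.

```python
import ipaddress

# Constructed example, not the poster's real setup. The kernel's local table
# (priority 0) is omitted; only the user rules and the main table are modelled.
LAN = "10.0.0.0/16"
RESERVED = "10.0.1.0/24"      # hosts 10.0.1.98-110 live in here
NET2 = "203.0.113.96/28"      # stands in for $net2.96/28, the second circuit

# 'ip rule' entries: (priority, from-prefix, table). Linux consults tables in
# priority order and falls through to the next rule when a table has no match.
RULES = [
    (32764, NET2, "2"),         # ip rule add from $net2.96/28 table 2
    (32765, RESERVED, "2"),     # ip rule add from 10.0.1.0/24 table 2
    (32766, "0.0.0.0/0", "main"),
]

def tables(lan_route_in_table2):
    """'ip route' contents per table; the flag copies the LAN prefix into table 2."""
    main = [("0.0.0.0/0", "eth0"), (LAN, "eth1"), (NET2, "eth2")]
    t2 = [("0.0.0.0/0", "eth2")]   # ip route add default via $net2.97 dev $port2 table 2
    if lan_route_in_table2:
        t2.append((LAN, "eth1"))   # ip route add 10.0.0.0/16 dev eth1 table 2
    return {"main": main, "2": t2}

def longest_match(table, dst):
    """Within one table the most specific prefix (largest prefixlen) wins."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best

def route(src, dst, lan_route_in_table2=False):
    """Return (table, egress device) the kernel would pick for a src/dst pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tbl = tables(lan_route_in_table2)
    for _prio, from_prefix, name in sorted(RULES):
        if src in ipaddress.ip_network(from_prefix):
            hit = longest_match(tbl[name], dst)
            if hit:
                return name, hit[1]
    return None, None

if __name__ == "__main__":
    print(route("10.0.0.5", "198.51.100.7"))          # ('main', 'eth0'): default circuit
    print(route("10.0.1.100", "198.51.100.7"))        # ('2', 'eth2'): reserved host, second circuit
    print(route("10.0.1.100", "10.0.0.5"))            # ('2', 'eth2'): LAN traffic leaks out port2
    print(route("10.0.1.100", "10.0.0.5", True))      # ('2', 'eth1'): fixed by the LAN route in table 2
```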
On 7/22/2011 1:17 PM, John R Pierce wrote:
You need this because you want to route based on the source address, not the destination. That might be what the OP wants too, but it's not clear from the question and doesn't have anything to do with the interfaces being vlans.
On 07/22/11 11:29 AM, Les Mikesell wrote:
Well, I suspect he wants to route based on it being SIP traffic, which is typically 5060 or 5061 TCP or UDP, so he will have iptables NAT these to an IP on the subnet of the alternate VLAN, then he'd use that VLAN's address as the rule for the source-based routing.
This sort of thing really belongs on an iproute2/netfilter mailing list, however, as it's not at all CentOS specific.
On 07/23/11 10:22 AM, Kristopher Kane wrote:
So John, exactly what is CentOS specific? Should I only read the emails with release speculation?
Things related to the packaging, repos. At least stuff that's EL3/4/5/6 related.
Otherwise, the mission creep on this list turns it into a free for all.
"Hey, I'm having problems with my set-top TV box, and it runs Linux inside, and CentOS is Linux, can you guys ....?"
No, I don't think so.
Now, in reference to the OP's issues, a CentOS/EL specific question might be how to package iptables commands within the standard EL /etc tree and work with the existing firewall scripts, or where to put ip rule/route commands (where SHOULD you put those, anyway? I dunno. Mine end up in /etc/rc.d/rc.firewall, which is invoked from rc.local, and I *know* that's sloppy as heck).
On Sat, Jul 23, 2011 at 3:02 PM, John R Pierce pierce@hogranch.com wrote:
Even after this explanation I don't understand your objection to helping someone with a firewall and routing issue on a CentOS box. You might have a point if the executables didn't come from packages in the canonical CentOS repo.
On 07/23/11 12:09 PM, Tom H wrote:
"I'm writing my doctoral thesis on pygmy rhino genetic marker traits, I am using LibreOffice on CentOS. Should I put the 1 or 2 pages of abstract before or after my table of contents".
On Sat, 2011-07-23 at 12:26 -0700, John R Pierce wrote:
If it is your second or fourth attempt then ensure the abstract exceeds 2 pages; otherwise it should be a single page if possible, but certainly no more than an absolute maximum of 2 pages.
Do not forget to include the acknowledgement at the bottom of each page that you are using LibreOffice and, of course, the correct CentOS version, which you can obtain by typing uname -a into a terminal window.
Some versions of CentOS default to bad spellings, i.e. they use the broken version of English commonly known as 'American English', but if you change your English configuration by typing, into a terminal window, Centos = real english, your spell checker should give you the correct results. Please note that syntax is scheduled to change in CentOS 6.1 and may affect all versions of M$ Windoze 8, Apple Mac Snowplough and FreeBSD versions 216 and 217. Solaris version 13 has already changed to use the revised syntax.
Glad I could help you.
On Sat, Jul 23, 2011 at 3:26 PM, John R Pierce pierce@hogranch.com wrote:
:)
I was of course assuming that the query was about system administration and not anything remotely similar to what you're suggesting!
I get your point that there has to be a limit but I still think that the limit that you're proposing's too restrictive.
Hi All,
Thanks for everyone's feedback. The issue was related to our SIP provider routing private IPs to get the SIP to work (we were not aware of this). We configured VLANs and put the SIP phones on a different range that the SIP provider did not route. However, all your advice and assistance is greatly appreciated.
Regards
Jennifer Botten
ETECH
On Sat, July 23, 2011 15:02, John R Pierce wrote:
From the mailing list page:
"The CentOS discussion and information list is a general purpose communication list for centos."
Note the concept of "general purpose" places no exceptionally stringent constraints on subject matter. If you feel strongly that your needs are limited to "things related to the packaging, repos" then might I suggest that the centos-devel list better meets your requirements than this one.